Suppose I'm going to do something that needs access to NHibernate's ISession. For example running a Sql query via ISQLQuery or running a LINQ-to-NHibernate via session.Linq<MyType>(). I know there is 2 way to access ISession:
ActiveRecordMediator.GetSessionFactoryHolder().CreateSession()
ActiveRecordMediator.Execute()
What is the pros and cons of each one? additionally is there another alternative ways?
I can't think of any technical reason to prefer one over the other, however ActiveRecordMediator.Execute is the documented way.
BTW you don't need any of this to do LINQ queries, you can use Castle.ActiveRecord.Linq instead.
Related
And, if I can, does that mean I lose my advantage of treating the results as objects? I find complex queries confusing in many ORMs, not just Django's. But, it is probably because I have never really used an ORM. Does anyone use straight up SQL anymore?
edit: Am I defeating the purpose of having a framework if I bypass the ORM completely? They all have a "nifty" ORM, but when it comes to queries with lots of subqueries, derived tables, it doesn't look pretty.
Using Django's QuerySet API you have different possibilities:
You can use extra() which will return a queryset which evaluates to model objects. Therefore it is, as the name says, somehow limited, because for returning model instances it is necessary to eg. query the model's table. But you have the possibility to add additional SQL eg. the WHERE or ORDER clause. Querysets that use extra() can still use the features of the ORM - like chaining multiple filter() for example.
raw() returns a RawQueryset which also can be iterated over to get model instances, but you loose a lot of features that the ORM would normally provide.
And of course you can execute SQL directly, using a low level connection cursor API (no model instances of course).
Study the documentation on raw queries, there's also a lot of information on eg. how to map a model's fields on the data coming from a raw query and documeting a few gotchas when passing parameters into the query.
To also answer your edited question: I wouldn't use raw SQL when you can do it with the ORM, but of course the ORM is limited and if you need to do some more complex stuff you will always have to switch to SQL (but sometimes using extra() is enough-so you can still use the advantages of the ORM). Don't forget that the ORM works with every DB backend, while the custom SQL might not work with every database.
You can use raw SQL to either return objects; or if you want you can bypass the ORM completely.
I need to perform queries that can be very complex, and I wanna make sure linq/queryOver can handle it.
what's the limitations and abilities I can't get with linq and can get with sql/hql ?
There isn't a list of limitations, other than the list of open bugs in Jira.
if you are performing complex queries, HQL is usually the best way to go.
However complex the query is you cna ultimately convert it toa QueryOver it might just get a little difficult and hard to read, but then you have a very strongly typed API.
Having said that you can always use HQL on your object model to achieve the same.
Session.CreateQuery("").List<>();
if that is difficult then there is always SQL to do the same.
Session.CreateSqlQuery("").ExecuteUpdate<>();
Session.CreateSqlQuery("").List<>();
My gut tells me that advanced NHibernate users would be against it and I have been looking for actual analysis on this and have found nothing, I'd like for the answer to address these questions:
What are the pros/cons of using it?
Are there any performance implications, both good or bad (e.g. use it to call stored procedures?)
In which scenarios should we use/avoid it?
Who should use/avoid it?
basically, what are the reasons to use/avoid it and why?
CreateSQLQuery exists for a reason, which is executing queries that are either:
Not supported
Hard to write
using any of the other methods.
Of course it's usually the last choice, because:
It's not object oriented (i.e. you're back to thinking of tables and columns instead of entities, properties and relationships)
It ties you to the physical model
It ties you to a specific RDBMS
It usually forces you to do more work in order to retrieve entities
It doesn't automatically support features like paging
But if you think it's needed for a particular query, go ahead. Make sure to learn all the other methods first (HQL, Linq, QueryOver, Criteria and Get) to avoid doing unnecessary work.
One of the main reasons to avoid SQL and use HQL is to avoid making the code base dependent on the RDBMS type (e.g. MySQL, Oracle). Another reason is that you have to make your code dependent on the table and column names rather than the entity names and properties.
If you are comparing raw SQL to using the NHibernate LINQ provider there are other compelling reasons to go for LINQ queries (when it works), such as type safety and being able to use VS reference search to determine in what queries a certain table or column is referenced.
My opinion is that CreateSQLQuery() is a "last way out" option. It is there because there are things you cannot do with the other NHibernate APIs but it should be avoided since it more or less goes against the whole idea of using NHibernate in the first place.
Plain-vanilla NHibernate setup, eg, no fluent NHibernate, no HQL, nothing except domain objects and NHibernate mapping files. I load objects via:
_lightSabers = session.CreateCriteria(typeof(LightSaber)).List<LightSaber>();
I apply raw user input directly to one property on the "LightSaber" class:
myLightSaber.NameTag = "Raw malicious text from user";
I then save the LightSaber:
session.SaveOrUpdate(myLightSaber);
Everything I've seen says that yes, under this situation you are immune to SQL injection, because of the way NHibernate parameterizes and escapes the queries under the hood. However, I'm also a relative NHibernate beginner so I wanted to double-check.
Thanks!
Yes, you're almost immune to SQL injection when using NHibernate. It uses parameterized queries for all generated SQL statements on all platforms that support these.
You can, however, circumvent this by using custom SQL for insertions/updates, or by executing SQL with a variation of execute_sql of some sort, or SQL Queries without parameters.
You're safe as long as you don't plug user input directly into HQL or SQL: nothing else (of the functionality hibernate provides) will allow users to inject malicious code.
Just to echo others, if you let NHibernate generate your SQL you're safe, at least in theory.
However, you still need to be careful with stored procedures, triggers, and functions in the database particularly with dynamic SQL. Even though the client uses parametrized queries everywhere, injection may still possible.
I am creating a quick and dirty prototype (C#) of an object-relational mapping tool. I would like to support at least two kinds of databases - one will be Microsoft SQL Server 2005/2008 and the other most probably MySQL.
Is there any way to use a single data base access mechanism for both database engines and what would it be?
Of course, I know that there will be differences in SQL query syntax, but in my case it is not that important - I'll use a tool to generate SQL queries which suit the certain db engine and user will be able to optimize those SQL queries.
The main idea is to have as flexible data provider solution as possible. Can it be done or not and how can it be done easier?
Note that I am not using this for a production system, just for a prototype, but still I'm curious how it is achieved in production OR/M tools - are they using completely separate access mechanism for each data provider or there are something common? And are they using DataReaders or there is some more appropriate way to retrieve data if I intend to transform data to business objects?
Thanks for any ideas, links etc.
Ok, I found it:
http://www.15seconds.com/issue/040127.htm
the solution is to use IDbxxx or Dbxxx as described in msdn.microsoft.com/en-us/library/ms379620(VS.80).aspx
Now I can specify only once what kind of DataProvider I use and then just use Db/IDb everywhere else.
I recommend nhibernate - which does what you want I think.
nhibernate.info